Clonable PUF: On the Design of PUFs That Share Equivalent Responses

Takashi Sato
Graduate School of Informatics
Kyoto University
Kyoto, Japan

Yuki Tanaka
Graduate School of Informatics
Kyoto University
Kyoto, Japan

Song Bian
Graduate School of Informatics
Kyoto University
Kyoto, Japan

Abstract—While numerous physically unclonable functions (PUFs) were proposed in recent years, the conventional PUF-based authentication model is centralized by the data of challenge-response pairs (CRPs), particularly when $n$-party authentication is required. In this work, we propose a novel concept of clonable PUF (CPUF), wherein two or more PUFs having equivalent responses are manufactured to facilitate decentralized authentication. By design, cloning is only possible in the fabrication period and the responses are determined based on the variability induced during the fabrication. We establish the usage model and the circuit design of CPUFs. Numerical experiments using a circuit simulator show an ideal matching rate of responses between the CPUFs.

I. INTRODUCTION

Physically unclonable functions (PUFs) [1], [2] are attracting increasing attention in the field of hardware security. The PUFs can be used in various ways: chip authentication, cryptographic protocols [3]–[6], identification of IoT devices [7], etc. The PUF circuit serves as a function, $r_c = f_c(c)$, which returns a response $r$ to a challenge input $c$. Depending on the physical variation in a hardware instance, $\chi$, the function $f_\chi$ becomes unique and unclonable for each PUF instance. The set of challenge-response pairs (CRPs), $(c, r)$, is used as the chip-specific secret keys.

Consider an authentication between Alice and Bob [8] using a conventional PUF. In advance to the authentication, Alice collects a sufficient number of CRPs (CRP data) of a PUF, and physically passes the PUF to Bob. Then, in an authentication, Alice chooses a CRP $(c, r)$ from the stored CRP dataset and sends the challenge $c$ to Bob (Fig. 1a). When Bob receives the challenge, a response $r_\alpha$ obtained from the PUF is returned to Alice. Bob will be verified if the responses $r$ and $r_\alpha$ match.

Although the above PUF-based authentication scheme is widely recognized, there remain several inconveniences and issues. The major limitation is the CRP data size. It is difficult for Alice to store all the CRPs when the CRP space of the PUF is large. Alice can store only a part of the CRPs, which limits the number of authentication processes to that of the CRPs which Alice has. Another issue is the asymmetry of the authentication process. In the case of Fig. 1a, only Alice can select a challenge, for Bob does not know the CRP data that Alice has, resulting in an unidirectional authentication scheme. In addition, PUF only permits two-party (pairwise) authentication. When we want to simultaneously authenticate more than two users, e.g., if Alice wants to authenticate both Bob and Charlie with different PUFs, Alice must have the CRP data of Charlie’s PUF as well as that of Bob’s PUF. These issues are all associated with the collection of CRP data. Even worse, the existence of CRP data can be a security risk. If the CRP data are stolen or their transmission is intercepted, forged or counterfeit copies of the PUF can be made. The CRP data are thus the most vulnerable part of the authentication using conventional PUFs.

In this paper, we propose a novel security primitive, clonable PUF (CPUF), which resolves all the above issues. The CPUF is a set of two or more PUFs sharing equivalent responses. Although the name sounds contradictory, the cloning of the CPUF is allowed only once during the manufacturing process. After the fabrication, cloning is never possible as in the case of conventional PUFs.

The contribution of this paper is summarized as follows:

- We propose a novel PUF architecture, clonable PUF, with which true PUF-based peer-to-peer and/or $n$-party authentications without storing CRP database become possible.
- We propose an example circuit realization of the CPUF that generates equivalent responses. The proposed CPUF circuit consists of memristors whose values are determined by the inherent variability during fabrication.
- Through circuit simulations, we show excellent performance in the new metrics of equivalence for measuring the closeness of the responses of the CPUF, as well as
the existing metrics as a conventional PUF.

II. CLONABLE PUF: A CONCEPT

The proposed CPUF is a group of PUFs that share an equivalent response. Here, equivalent indicates that, for any challenges, the response bits of the CPUF instances are always equal. Obviously, the set of responses that are mutually negated can also be considered as equivalent. Because the responses of the PUFs are determined by physical variations, 100% match of the responses may not be expected in the fabricated chip. Even in such cases, we expect the responses of the CPUFs match at a very high probability close to 1. Meanwhile, an instance of the CPUF should satisfy other criteria that the conventional PUFs have to satisfy — randomness, uniqueness, robustness, etc. The CRP of a CPUF is eventually indistinguishable from the CRP of the conventional PUFs. A remarkable difference is that there is a known number of clones for a CPUF, whose CRPs are practically equal.

The example authentication process using CPUFs is shown in Fig. 1b. Alice and Bob respectively own paired instances of the CPUF, CPUF_α and CPUF_β. The CPUF has to be handed physically and securely. In the authentication, first, Alice (or Bob) generates a challenge, r, by a random number generator (RNG) and sends c to Bob (Alice). Then, Alice and Bob input c to CPUF_α and CPUF_β to obtain respective responses, r_α and r_β. Bob (Alice) sends r_β (r_α) back to Alice (Bob). Finally, Alice (Bob) verifies the responses for their equivalence. What we would like to stress here is that, in the authentication using CPUFs, no CRP data is recorded or used, and hence either Alice or Bob can equally initiate and carry out authentication. Similarly, n-party authentication can be carried out using CPUFs having n clones.

III. CIRCUIT DESIGN OF CPUF

A. Memristor

The CPUF circuit in this paper uses memristors as a key component. A memristor, which is predicted theoretically by Chua in 1970’s [9] and found by Strukov et al. in 2008 [10], is a passive circuit element. Typical structure of memristive devices includes a metal oxide layer in between two metal layers. The conductance between the metal layers varies depending on the history of the passed current. The I-V curve of a memristor is characterized by the hysteresis. The conductance G of the memristor becomes low when a positive high voltage is applied, whereas G becomes high when a negative high voltage is applied. The low and high conductance states are also called as high resistance state (HRS) and low resistance state (LRS), respectively.

The change of the conductance in the write operation is modeled as [11]

\[ \text{write: } \Delta G = \frac{\Delta T \exp(\sigma V_w)}{G}, \]

where \( V_w \) is a high voltage (write voltage), \( \Delta T \) is an application period of the write voltage, and \( \sigma \) is a constant that depends on the physical variation. During the read operation, we apply a low read voltage \( V_r \), so as not to change the current memristor state. The read current is simply given by Ohm’s law:

\[ \text{read: } I = GV_r. \]

We utilize the above characteristics and inherent variability of the memristors to design CPUF circuits.

B. Coupled-inverter CPUF

The manufacturing steps of the CPUF is summarized as follows:

1) Instances of the CPUFs, containing memristor array, are designed and placed side-by-side on a wafer having wire connections in between.
2) Once the wafer process is finished, a write voltage is serially applied to the connected CPUFs for determining the memristor values. Here, the written state solely depends on the mutual variation of the connected circuit elements. Hence, the responses of one memristor array are equivalent to those of the other array(s) connected, while the responses are unique and cannot be reproduced even by the manufacturer, as in the case of the conventional PUFs.
3) The wafer is diced into individual CPUF instances. The periphery circuits are destroyed in the chip cutting to preclude rewriting.

The circuit structure of the paired CPUF cells is shown in Fig. 2a. For the sake of simplicity, an example of two clones case is explained below but extention for larger number of clones is not difficult. Each CPUF cell is a pseudo inverter consisting of a memristor and a transistor. The on-chip wire connections in between the paired cells are established in a cross coupled manner to form a coupled inverter. In real implementations, the layouts of the two CPUF cells are drawn in the respective CPUF instances that are physically placed side by side, though a pair of CPUF cells is drawn adjacent for ease of understanding the circuit operation.

In the write operation, a write voltage, \( V_w \), is applied to program the CPUF pair. Due to the feedback operation of the two pseudo inverters, one of the memristors (\( G_{\text{L}} \) in this example), initially having higher conductance than the other, conducts a large negative current (Fig. 2b). This current turns the memristor into a HRS while the state of the other memristor (\( G_{\text{H}} \)) remains in its initial low resistance state. The difference of the initial memristor resistances is amplified and eventually forces memristor states to split into a distinct HRS or LRS. Therefore, in the proposed circuit, the unstable bits [12], in which two resistances are so close that the response becomes fluctuated upon the change of environment, are never generated. All cells generate stable response, which eliminates the use of error correction schemes, such as that in [13].

After the write operation, the CPUFs are split into two CPUFs: CPUF_α and CPUF_β. The responses of these CPUFs, \( r_\alpha \) and \( r_\beta \), are generated based on the state of the memristors: 1 for HRS and 0 for LRS by a simple comparator with a reference voltage \( V_{\text{ref}} \). In this circuit, \( r_\alpha \) and \( r_\beta \) are mutually
in inverted states, i.e., \( \alpha = \beta \), hence, these responses can be considered equivalent.

C. Coupled-inverter Array

The arrayed implementation of the proposed coupled-inverter CPUF is shown in Fig. 3. The top schematic diagram contains two arrays. The two CPUF chips are fabricated while sharing a write control circuit and shared wires that are in the scribe line. Once the CPUF is diced as individual chips, the read address generator, which selects a memristor cell, serves as a challenge, and the readout of the specified address becomes the response. Although this implementation of CPUF circuit is considered as a weak PUF [8], [13] having a limited number of CRPs, the number of CRPs can be increased exponentially by implementing the CPUF with a pseudo random function circuit, such as [14], [15], when a large CRP space is necessary.

Each CPUF array consists of a memristor array, read control circuit, row decoder, Vrail generator, column decoder, and input/output circuits. A write control circuit is implemented for a pair (or \( n \)-copies) of CPUFs that share an equivalent response. The write circuit is only used when setting the values of the CPUF arrays, and is later destroyed with dicing. These circuits are initially fabricated as one chip, indicated in the wafer map at the bottom left in the figure. A write protection circuit, which disconnects wire ends from the internal array, prevents rewriting of the memristors. Additionally, there is a write-counter circuit, WCNT, which monitors the number of assertions of the write_enable signal. Once WCNT detects the rewriting attempt through the exposed wires at the edge of the chips, the alarm signal is activated and the operation of the CPUF is disabled.

This schematic diagram also shows the detailed wire connections in the cell circuits formed between the paired memristor array. All cell circuits are designed identical, and the global connection is realized by the shared wires, SBL and SBLB, forming the pseudo inverter. The difference with those in Fig. 2a is the three switch transistors that determine the write/read modes. The input and output of the cell are connected to the bus lines running vertically, BL and BLB, which are shared with the cells located in the same column. These bus lines are then connected to SBL and SBLB that are running across all CPUFs. Here, the cells are cross coupled, as shown in Fig. 2a. The connection of SBL and SBLB are twisted so that they are respectively connected with BL and BLB, with which the inverters are connected back-to-back. A supply voltage, \( V_{dd} \), is provided to the pseudo inverters and switch inputs through VL and WL to enable response determination of all the cells in a row-parallel manner.

In the write mode, the conductance of the memristors are written by a row. First, SBL and SBLB are reset to \( V_{ss} \). Then, in writing \( i \)-th row of CPUF_\( \alpha \) and CPUF_\( \beta \), the row decoder and Vrail generator activate the cells in the \( i \)-th row through WL_\( i \), and \( V_{stress} \) is applied through VL_\( i \).

In the read mode, the responses are generated row by row. The select signal WL_\( i \) is asserted to enable \( i \)-th row. RL is now connected to the resistor (possibly realized by a diode-connection of a transistor) in the read circuit to generate the output voltage \( V_{out} \) corresponding to the conductance of the memristor. In this operation, a supply voltage is applied to BLB in order to turn on the pull-down transistor of the CPUF cell. \( V_{out} \) of each column in the activated row is compared with a reference voltage, \( V_{ref} \), to generate the response.

D. Design considerations

Adopting the helper data has become a common practice to improve the stability of the response of PUFs [13]. However, the hardware overhead required for such function is unignorable and the security may be compromised due to possible information leakage associated with the helper data. In general, this stability issue originates from the fact that the analog output signal, which is given to a comparator to determine a response bit either 0 or 1, tends to concentrate the analog output signal, which is given to a comparator to determine a response bit either 0 or 1, tends to concentrate
(associated with HRS and LRS) of the analog output exceeds the half of the supply voltage with no overlap. Hence, the application of ECC circuits can be safely eliminated.

IV. Evaluation

The performance of the proposed coupled-inverter CPUF is evaluated through simulations using a commercial circuit simulator [16] with a commercial 65 nm process library, and a memristor model based on the actual device-measurement results [17]. A Gaussian distribution is assumed for the variation of the threshold voltages of the MOS transistors. The initial conductance of the memristor is determined by changing the model parameter $g_{ap}$ [18], which is the length of high-impedance region, to follow a Gaussian distribution.

The proposed CPUF is evaluated in two configurations: $8 \times 8$ array of 8-parties and $16 \times 16$ array of 2-parties. In both configurations, the optional SRAM circuit is implemented and the SRAM-based assist operation is performed in the write mode. A 100 CPUF instances for each configuration were virtually fabricated and evaluated in terms of three criteria: equivalence ($E$), unpredictability, and reliability.

The equivalence is a novel criterion that we introduce to quantify the performance of the CPUFs, in which the matching rate between the corresponding responses of the CPUFs are evaluated. It is calculated as

$$E = \frac{1}{C} \sum_{c=1}^{C} g(f_{\alpha}(c), f_{\beta}(c), f_{\gamma}(c), ...),$$

where $C$ is the total number of challenges and $g$ is the indicator function that returns 1 (0) when the responses of the corresponding CPUFs are all equivalent (the responses of at least one CPUF are not equivalent).

The unpredictability is evaluated in five criteria: randomness ($H$), diffuseness ($D$), uniqueness ($U$) [19], context-tree weighting (CTW) [20] compression and, NIST tests [21]. The randomness represents the number of appearances of 0’s and 1’s in the response of a PUF. The diffuseness represents whether a single PUF returns different responses to different challenges. The uniqueness represents whether different PUFs return different responses for the same challenges. Each metric takes a value between 0 and 1, where 0 is the worst and 1 is the best. The CTW compression represents an upper bound of an entropy of the PUF’s responses [22]. The NIST tests are the set of randomness tests [21], represent unpredictability of PUF’s responses [23]. The result is shown as the rate of PUF instances that passed the tests.

The equivalence and unpredictability are summarized in Table I. The equivalence $E$ has been evaluated as ideal value of 1.0, meaning that the proposed CPUs always generate equivalent responses. The values of $R$, $D$, and $U$ are also very close to the ideal value, and the compressibility of CTW has been higher than 1.0. These results indicate that the proposed CPUF achieves very good performance as a standalone PUF, while there is a perfect match between the responses of CPUs. The CPUF instance is practically as good as and indistinguishable from the conventional PUFS.

As for the NIST tests, three tests: frequency, runs and cumulative sums, are applied to the $16 \times 16$ array as they require more than 100 bits. According to [21], the confidence interval is 0.96015 at the significance level of $\alpha = 0.01$ for the binary sequences, $m = 100$. The pass ratios in Table I of all tests are higher than the threshold confidence level. Thus, the responses of the proposed CPUF are considered sufficiently unpredictable.

Finally, the reliability of the proposed CPUFs was evaluated for the temperature range of $-40^\circ C$ and $+100^\circ C$ being the response of the nominal temperature of $25^\circ C$ as the reference. The reliability is also evaluated for the read supply voltage range of $\pm 0.24$ V (20%) against the supply voltage of 1.2 V. No response has been changed in any of the above environments. Excellent reliability of the proposed circuit has been observed, owing to the large voltage margin for the output $V_{out}$. The results are shown as in Fig. 4.

![Fig. 4. Distributions of the output voltage.](image)

V. Conclusion

In this paper, we proposed a novel concept of CPUF that realizes decentralized authentication without CRP database. A circuit realizations, coupled-inverter CPUF have been presented and evaluated. Through the circuit simulations, it was shown that the responses of the CPUFs are equivalent under process variations of memristors and MOSFETs. The existing metrics for conventional PUFs were also close to ideal values.

Acknowledgment

The authors acknowledge support through the activities of VDEC, the University of Tokyo in collaboration with Synopsys, Inc.
REFERENCES


